Michael Menne

My Content

Posted By Michael Menne 05-10-2024 10:32:42 AM
Found In Egroup: Cybersecurity
We will only do an in-person or Zoom meeting verification with a valid picture ID that shows the person's face. Passport, Driver's License, Campus ID are the typical ones. We treat Students and Faculty/Staff the same as far as identity verification. Michael Menne, CISSP, C-CISO Chief Information ...
Posted By Michael Menne 04-04-2024 12:43:00 PM
Found In Egroup: Cybersecurity and Privacy Governance, Risk, and Compliance
If it's a university owned space and the cameras are not for healthcare reasons, I would defer to campus security. If the cameras are for healthcare reasons, then the data would be HIPAA covered data and I would defer to the healthcare company in that case. If they are simply for monitoring "public" ...
Posted By Michael Menne 02-27-2024 05:26:39 PM
Found In Egroup: HECVAT Users
I used to almost always require the FULL HECVAT. With the updated v3, I find the lite version to be sufficient for most applications. In cases where we are involving highly sensitive or regulated data, I will require the full version (PCI, HIPAA, etc). If the company has a recent SOC 2 Type 2 report and ...
Posted By Michael Menne 02-19-2024 01:05:00 PM
Found In Egroup: Cybersecurity and Privacy Governance, Risk, and Compliance
This would only apply to an application / website that has PII associated with it. In our environment, I can't think of any application within our HIPAA functions that would have this type of tracking ability. I would have SERIOUS fundamental concerns about privacy and security of the company and application ...
Posted By Michael Menne 01-17-2024 01:19:55 PM
Found In Egroup: Cybersecurity
We haven't blocked them. Blocking them provides a false sense of security. We have taken the approach of education instead. Blocking sites like these is playing Whack-a-mole. Our legal also doesn't get involved in these low-level types of decisions. Michael Menne, CISSP, C-CISO Chief Information ...
Posted By Michael Menne 11-28-2023 07:42:00 AM
Found In Egroup: NIST 800-171 Compliance
Our data classification is very similar to Umch. We have 3 classifications (4 if you count directory data as another classification). Low, Restricted, and Highly Restricted. Low is outlined as a general concept of data. Highly Restricted is a very defined set of PII that could compromise someone's ...
Posted By Michael Menne 11-02-2023 07:15:54 AM
Found In Egroup: Cybersecurity
We have roughly 15,000 students and have zero permanent exemptions for students. We evaluate each one on a case by case basis. The MS Authenticator app has accessibility built into it. I don't recall any requests involving a student with a disability. We implemented Microsoft MFA 3 years ago campus wide. ...
Posted By Michael Menne 09-15-2023 02:59:32 PM
Found In Egroup: CIO
It's only a matter of time before they do kill off voice and SMS. Turning off the Microsoft managed deployment is only kicking the can down the road (maybe for a while yet). Michael Menne, CISSP, C-CISO Chief Information Security Officer IT Solutions Information Security Minnesota State University, ...
Posted By Michael Menne 08-22-2023 11:46:22 AM
Found In Egroup: CIO
We do not give auditors direct access to systems. If they need validation, we provide screenshots. If they want to see it real-time and take their own screenshots, we would do it for them and allow them to join a remote session of some type. Michael Menne, CISSP, C-CISO Chief Information Security ...
Posted By Michael Menne 08-22-2023 09:47:18 AM
Found In Egroup: CIO
Anything purchased on a p-card or employee expense reimbursement gets flagged by our business office and forwarded to me for a review. We then run it through our standard intake and review process before approving the expense. Michael Menne, CISSP, C-CISO Chief Information Security Officer IT ...
Posted By Michael Menne 08-17-2023 09:09:33 AM
Found In Egroup: Cybersecurity
We used to use Ivanti Endpoint Management Security Suite for patching. It supported both macOS and Windows. The Mac support fell off a cliff in recent years. We are in the process of testing ManageEngine Patch Manager Plus. We just started, so haven't gotten too far. So far it looks promising. Michael ...
Posted By Michael Menne 07-25-2023 09:00:21 AM
Found In Egroup: CIO
If you are already on M365, administrators will find Google to be a huge challenge. The integrations between products aren't as tight as they are within M365. I've worked in both platforms as an administrator. I find Google to be frustrating and nowhere near as technically capable as M365 for a larger ...
Posted By Michael Menne 06-29-2023 09:50:11 AM
Found In Egroup: Cybersecurity
Cl0p has claimed that they deleted any government data they compromised. That's likely why it's no longer on their victim website. Whether they actually did or not is anyone's guess. Michael Menne, CISSP, C-CISO Chief Information Security Officer IT Solutions Information Security Minnesota State ...
Posted By Michael Menne 02-16-2023 09:04:04 AM
Found In Egroup: Cybersecurity
I also think that blocking stuff that can and will be used is futile. People will always find a way to use it. Instead, a minor at our university has explicitly created an assignment that the students must use ChatGPT to come up with some paper, and the students must analyze that paper and evaluate the ...
Posted By Michael Menne 02-15-2023 12:41:35 PM
Found In Egroup: Cybersecurity
ChatGPT is not a technology we will be able to block. It's here and it's here to stay. Maybe not ChatGPT per se, but the concept is here to stay. Are we going to block browsers because they can be used to download hacking tools? Are we going to block email because people can be phished or compromised ...
Posted By Michael Menne 01-26-2023 08:22:32 AM
Found In Egroup: Cybersecurity
We are going through this now. The A3/A5 licenses only cover the licensed employee and their devices (up to 5). Student employees, labs, and other shared workstations do not fall under the A3/P1 or A5/P2 license. Microsoft didn't have this option to begin with, but has now released a shared workstation ...
Posted By Michael Menne 01-19-2023 07:50:17 AM
Found In Egroup: Cybersecurity
This was told to me by our ISA this week when I asked about our call center. This page seems to contradict this. I'll see if I can find an official reference. "How Does Taking Credit Cards by Phone Work with PCI?" - PCI Compliance Guide Michael Menne, CISSP Chief Information Security Officer ...
Posted By Michael Menne 01-19-2023 07:19:36 AM
Found In Egroup: Cybersecurity
Now, as mentioned by Jason, if you have hardware credit card readers on your network, you are in scope for compliance because as he mentioned you are touching and processing cards AND cardholder data will traverse your network, firewall, and Internet connection. This is negated if your terminals are ...
Posted By Michael Menne 01-18-2023 07:40:58 AM
Found In Egroup: CIO
We haven't written any policy and haven't received any guidance from our State government about banning it. We will likely issue a statement about it with our cybersecurity awareness campaigns and upcoming privacy week campaign. If we were to go as far as banning it without a state mandate, it would ...
Posted By Michael Menne 01-09-2023 11:53:42 AM
Found In Egroup: Cybersecurity
We have some active social media channels that we'll be publishing some information on. January 28 is International Privacy Day. We are planning on a week long communications campaign on privacy. LastPass will be part of that privacy campaign as well as social media and a handful of other things. ...